topic How to permit only OPC protocol traffic through CISCO ASA 5505 in Network Security

How to permit only OPC protocol traffic through CISCO ASA 5505

PelekhovIS — Tue, 12 Mar 2019 05:04:31 GMT

Hello, I have a trouble with OPC protocol on cisco ASA 5505. I'd like to ask for help: we need to flow only OPC protocol(based on DCOM and MS RPC) through the ASA 5505 K8. Do you have any solutions?

I will be grateful for help.

Hi PelekhovlS,Could you

Murali — Thu, 13 Nov 2014 13:07:27 GMT

Hi PelekhovlS,

Could you please explain your problem in detail , what issue exactly you are facing with ASA so that we can guide you.

Hi murali438,We have server

PelekhovIS — Fri, 14 Nov 2014 01:05:39 GMT

Hi murali438,

We have server with OPC server machine then ASA 5505 then OPC client machine. Our security departament insists to permit only OPC traffic between OPC-server and OPC-client.

OPC protocol uses dinamic windows port range( winxp 1025-5000, vista+ 49192- 65535) and 135 port as endpoint mapper. It means that after connection to server to 135 port endpoint mapper(at server) chooses random port to OPC communication iside of dinamic range and then server and client communicate via that random port.Our security departament forbids just to open this dinamic ranges on ASA 5505 because it's a big security hole. Configuring server matchine to limit dinamic range does not work correctly. Is there a way or built-in inspection( I heard about DCEPRC, is that a solution?) to repmit only OPC traffic?

According to my knowledge

Murali — Fri, 14 Nov 2014 03:39:36 GMT

According to my knowledge cisco asa can only inspect below applications (i don't know about latest model but this is on 8.4). DCEPRC might be pefect solution for you but the catch is

"DCERPC inspection only supports communication between an EPM server and clients to open pinholes through the ASA. Clients using RPC communication that does not use an EPM server is not supported with DCERPC inspection"

And i'm afraid we can't create an inspection policy for custom applications.

ASA1(config-pmap-c)# inspect ?

mpf-policy-map-class mode commands/options:
ctiqbe
dcerpc
dns
esmtp
ftp
gtp
h323
http
icmp
ils
im
ip-options
ipsec-pass-thru
ipv6
mgcp
mmp
netbios
pptp
rsh
rtsp
sip
skinny
snmp
sqlnet
sunrpc
tftp
waas
xdmcp

This is how it works (excerpts from the link mentioned at the bottom)

Step 1 A client queries an EPM server for the dynamically-allocated port number of a required DCERPC service. The EPM server listens on the well-known TCP port 135.

Step 2 The ASA, located between the client and EPM server, intercepts the communication.

Step 3 The EPM server indicates the port number on which the DCERPC service is available.

Step 4 The ASA opens a pinhole for that DCERPC service

Step 5 Using that pinhole, the client attempts to connect to the DCERPC service on the indicated port.

Step 6 The ASA detects that the connection is permitted and creates a secondary connection to the server instance providing the DCERPC service. When creating the secondary connection, the ASA applies NAT if necessary.

You might already have it but in case

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_mgmt.html

HiYou might want to look at

johnd2310 — Thu, 20 Nov 2014 02:32:02 GMT

You might want to look at OPC Tunnellers. They are useful for getting around firewall issues.

Thanks

John

Thanks a lot for your help.

PelekhovIS — Wed, 10 Dec 2014 01:49:28 GMT

Thanks a lot for your help.

your welcome ! Please mark

Murali — Wed, 10 Dec 2014 06:42:56 GMT

your welcome !

Please mark the posts as correct / rate if it helped or solved your problem.

Thanks

Murali

Re: Thanks a lot for your help.

QUARK TARO — Thu, 12 Oct 2017 14:05:09 GMT

Hi, were you able to establish OPC DA, HDA, A&E with DCE RPC inspection?